Purpose
This Data Retention Policy explains how DraftWise, Inc. (“DraftWise” or “we”) stores, processes and deletes data that comes under its responsibility during the course of normal business operations. DraftWise is committed to taking meaningful steps to protect any data within our responsibility from misuse, loss or unauthorized access. In support of this, our company only maintains data for set periods of time as necessary for certain business operations or to fulfill legal or regulatory requirements in applicable jurisdictions.
Scope
This Policy applies to all information technology systems owned or leased by DraftWise. It is the responsibility of every employee who engages third party-agents, vendors, contractors or business partners (“Third Parties”) to perform services involving access to our systems to ensure that such Third Parties employ security controls and procedures that are at least as protective of our systems as those employed full-time by DraftWise. If and when data falls under individual responsibility, such as printed material or digital content saved on your local machine, this Policy then applies to all employees, contractors, consultants, vendors and other services providers currently working at DraftWise and who handle, manage, store or transmit DraftWise data.
Policy
Additional details on our company’s efforts can be found in our Privacy and Information Security policies.
Data Retention Period
We retain all data for no longer than a maximum period of five (5) years, unless mandated by legal or regulatory requirements. The actual extent of data retention varies according to the specific dataset and business purpose as well as according to DraftWise’s Data Classification Standard or applicable legal or regulatory requirements. At the end of the applicable retention period, we delete the data in our possession or under our responsibility.
Access and Control
Depending on your place of residence or employment, you may be entitled to certain rights over the access and control of your data. If you wish to exercise these rights, please email contact@draftwise.com. We will maintain a record of our communication with you to help resolve any requests.
Right to Object
You may have the right to object to certain types of data processing. We can refuse your right to object where we have processed your data to aid in dealing with any legal claim or legal matter.
Right to withdraw consent
Where we have previously obtained consent as the legal basis for processing your data, you can withdraw consent at any time. The withdrawing of consent in no way impacts the legality of previous data processing prior to the request to withdraw.
Data Subject Access Requests (DSAR)
You can ask us to confirm what information we hold about you at any time as well as requesting us to modify, update, or delete such information. We will ask you to verify your identity and for more information about your request. You will not be charged for this request unless it is “unfounded” or excessive. If you make multiple requests for the same data, we may charge an administrative fee if we receive identical requests that require extended processing.
Right to erasure
You have the right to request that we erase certain data.
Legal Basis
Legitimate Interest
Article 6-1-f of the GDPR states that we can process your data where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
Contract as a legal basis for processing data
The ICO states that Article 6(1)(b) gives you a lawful basis for data processing where: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
Legal Obligation
There may be times when DraftWise has to exercise or defend a legal claim and in doing so may need to process your details for this purpose. Article 6(1)(c) provides a lawful basis for processing where: “Processing is necessary for compliance with a legal obligation to which the controller is subject.”